Security Weekly Podcast Network (Audio)
Technology
For the Security News, we officially welcome Bill Swearingen to our expert panel of PSW hosts, and discuss the news including hacking shenanigans, QNAP, recovering crypto currency, Android malware, and more!
Then in a pre-recorded segment: Sonar Vulnerability Researchers Thomas Chauchefoin and Paul Gerste conducted research on the security of Visual Studio Code — the most popular code editor out there — which was presented at DEF CON 31 in August. The pair uncovered a few ways for attackers to gain code execution on a victim's computer if they clicked on a specially crafted link or opened a malicious folder in Visual Studio Code, bypassing existing mitigations like Workspace Trust. Developers tend to trust their IDEs and do not expect such security issues to exist. As developers have access to source code and production systems, they make for very interesting targets for threat actors. Important to note is that the security concepts that the two are able to demonstrate apply not just to Visual Studio Code, but to most other code editors. This is also the story of how the researchers got an unexpected $30,000 bounty from Microsoft for these bugs, by mistake!
Segment Resources:
BLOG POSTS Securing Developer Tools: Argument Injection in Visual Studio Code (https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/) Securing Developer Tools: Git Integrations (https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/)
CVEs CVE-2023-36742 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742) CVE-2022-30129 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-30129) CVE-2021-43891 (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-43891)
Visit https://www.securityweekly.com/psw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Show Notes: https://securityweekly.com/psw-804
Angry mobs, Azure, Avanti, Rhysida, Warzone, Flipper Zero, Josh Marpet, and More - SWN #362
Zero-Trust is Meaningless if Your Cryptography is Flakey - Vincent Berk - ESW #349
RoboJoe, SHIM, Fortinet, FaceOff, Simswap, sudo in Windows, Aaran Leyland, and More - SWN #361
You Can’t Defend What You Can’t Define - Sergey Bratus - PSW #816
Teens Gone Wild, Nintendo, Anydesk, RUST, Google, Deepfakes, Jason Wood, and more - SWN #360
Starting an OWASP Project (That's Not a List!) - Grant Ongers - ASW #272
Security Money/Pick Your Battles To Avoid Overconsolidation - Jess Burn, Jeff Pollard - BSW #337
E-Coli, Mercedes, Cloudflare, Ivanti, VT, GIGO, AI, Congress, Aaran Leyland and more - SWN #359
The Elephant in the Pipeline: Securing the Wild, Untamed Software Supply Chain - Pete Morgan - ESW #348
Identifying Bad By Defining Good - Danny Jenkins - PSW #815
Getting Your First Conference Presentation - Sarah Harvey - ASW #271
Google, WhiteSnake, Outlook, NSA, Juniper, Jason Wood, and More - SWN #358
Cyber Readiness: Train As You Fight - William Hutchison - BSW #336
Veolia, FeverWarn, SystemK, Fortra, GitLab, Ring, Trickbot, Aaran Leyland, and More - SWN #357
What Smart CISOs and Mature Orgs Get That Others Don’t About Cyber Compliance - Matt Coose - PSW #814
2024: The Year Cross-Platform Endpoint Management Finally Gets Good? - Zach Wasserman - ESW #347
RoboJoe, Apple, VMWARE, AI, Confluence, Scarcruft, Microsoft, Jason Wood, and More - SWN #356
Dealing with the Burden of Bad Bots - Sandy Carielli - ASW #270
Say Easy, Do Hard, Hiring a CISO, Part 2 - BSW #335
Google, Pax, LeftOverlocals, Mint Sandstorm, DJI, Colossus, Aaran Leyland, and More - SWN #355
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
A Prairie Home Companion: News from Lake Wobegon